A Day in the Life of #Apache: Modifying the Server Header in Apache 2.0 and 1.3

Editor's note: Rich Bowen tackles an Apache security issue in this latest column based on his conversations on the IRC channel #apache. This month he covers how to get Apache to send a different Server response so that no one can identify what version of Apache you're running, or any of the modules you have installed. The less information your server reveals, the safer it will be from crackers who want to try and break in. Rich is a coauthor of O'Reilly's Apache Cookbook.

#apache is an IRC channel that runs on the irc.freenode.net IRC
network. To join this channel, you need to install an IRC client (XChat, MIRC,
and bitchx are popular clients) and enter the following commands:

/server irc.freenode.net
/join #apache

Day Nine

A word of warning before we start: the question that we're dealing with today
has a number of answers, and all of them have their drawbacks. It's one of those
questions where it's far more important to understand the question than it is to
know the answer. Um. If that made any sense at all.

So, here we go.

Today, we'll tackle the subject of introducing yourself. When
you meet a new person, you say, "Hello, my name is Eddie Van Zant." (Or, at
least, you do if that's your name. Which it almost certainly isn't. But let's
try not to get sidetracked.)

This response is a reference to the FAQ--a list of the questions that have
been asked frequently enough that it's
worthwhile to write the answers down in one place so that nobody has to ever
answer them again. The answer found there is what most people seem to be looking
for. But not all. So it might be worthwhile backing up a bit and figuring out
why people ask the question at all.

The general idea is that if Nasty People know exactly what version of Apache
you're running, and what additional modules you have installed, this will give
them a much better idea of how they can crack into your server. While this is
probably not true in most cases, it is true in a few circumstances. And, of
course, it's those few circumstances that these Nasty People are looking
for.

A good rule of thumb is that the less information you can give to the
crackers, the better off you'll be. Granted, a lot of this information can be
obtained through a variety of trickier techniques, but there's really no point
in making it easy for them.

So what does the FAQ recommend that you do? Quite simply, it recommends that
you set ServerTokens to Prod, which is short for
ProductOnly. This will cause Apache to return just the string
Apache. That's a bit like being introduced as "Chuck," rather than
"Charles Phillip Arthur George Windsor Mountbatten, The Prince of Wales."

If you are running Apache 2.0, instead of 1.3, that's all you really need to
do. However, if you're running 1.3, there's a small problem. Namely, when you
get an auto-generated page from Apache, such as an error document, it has a bit
down at the bottom called the Server Signature. That looks something like:

Apache/1.3.29 Server at shiraz.rcbowen.com Port 80

It does this even if you have ServerTokens set to
Prod. It doesn't report your whole module list, but it reports what
version of Apache you're running. In this case, it reports that I'm running
Apache 1.3.29, while I really should have upgraded to 1.3.31 quite some time
ago.

This information can be removed from these pages by the following
setting:

ServerSignature Off

On Apache 2, ServerSignature will never give more information
than ServerTokens.

These recommendations take care of 90 percent of the people that ask this question.
But there's a certain number who always want to push it just that little bit
farther. It's still not good enough that it tells you that it's Apache. They
want it to say that it is "Microsoft IIS/5.0" or "Bob's Happy Httpd," or perhaps
nothing at all. They seem to be reasoning that if the attacker doesn't know that
it's Apache at all, then they'll leave them alone.

There's a problem with this line of reasoning. Two of them, in fact.

The vast majority of attacks are completely scripted. The attacker runs a
script, and goes to get a Pop-Tart. When they come back, they have their list of
compromised hosts. The automated attacks are run against the target servers,
regardless of whether they are running Apache, IIS, or OmniWeb on OS/2. It just
doesn't matter. That's why you end up with so many IIS-related attack entries in
your error_log file.

Also, if someone really wants to know what web server you are running, they
can find out with a technique known as fingerprinting. Because each web server
handles HTTP requests slightly differently, due to differences in
interpretations of the HTTP specifications, or other subtle things, it's
possible to make a request, look at the response, and determine what web server
the target is running. Thus, it makes very little difference whether a server
reports that it is running Apache 2.0.49 or "Wally's Wonderful Webserver," if
the attacker is really dedicated.

You will find a number of web sites that suggest that you can simply use the
Header set notation to modify the Server header on
Apache 2.0. This turns out to be false.

If you happen to be running mod_security (you really should be),
you can modify the Server header using the SecServerSignature
directive:

SecServerSignature "Wooga-Woo/8.4"
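Putting the three steps from this column together in one httpd.conf fragment, as an added example that is not part of the original column; the `<IfModule>` guard and the comments are mine, and the mod_security caveat is taken from that module's own documentation rather than from the column:

```apache
# Added example (not from the original column): the directives discussed
# above, combined, with the 1.3-versus-2.0 difference called out.

# Step 1 (1.3 and 2.0): shrink the Server header to just "Apache".
# The other values (Min, OS, Full) each reveal progressively more.
ServerTokens Prod

# Step 2 (needed on 1.3): stop auto-generated pages such as error documents
# from appending "Apache/1.3.x Server at host Port 80" at the bottom.
# On 2.0 the signature never says more than ServerTokens allows, but Off is
# still the quieter choice.
ServerSignature Off

# What does NOT work on 2.0: the core writes its own Server value when the
# response goes out, so a mod_headers rule like this one has no effect.
# Header set Server "Bob's Happy Httpd"

# Step 3 (optional, mod_security only): replace the Server value outright.
# Quote the whole string; the closing quote is easy to drop.
# Caveat: mod_security overwrites Apache's version string in place, so its
# documentation requires ServerTokens Full (the longer original string) for
# this directive to take effect. If you use it, change Step 1 to
# "ServerTokens Full" and let SecServerSignature do the hiding instead.
<IfModule mod_security.c>
    SecServerSignature "Wooga-Woo/8.4"
</IfModule>
```

After restarting Apache, a quick `curl -I http://yourhost/` shows which Server value is actually being sent, which is worth checking since the three directives interact.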

While this may seem like a great deal of trouble to go to for a relatively
small gain, it is true that every little bit helps. The less information you can
give out, the better chance you have of avoiding unauthorized entry. Or, at
least, you can slow them down and thus increase your chances of catching
them.

If you want to discuss this further, please drop by #apache some time.